* Philip Brown ([EMAIL PROTECTED]) wrote:
> Glenn Lagasse wrote:
> > * Philip Brown ([EMAIL PROTECTED]) wrote:
> >>
> >> Most people don't give a damn about "finer grained control". they just want
> >> to get done, what needs to get done, in the simplest way possible.
> >> sudo is the best fit for it.
> >>
> >> "alias sudo=pfexec", does not meet that want, as well as regular sudo
> >> does.
> >
> > And how exactly does it not meet that want?
>
> Starting with a fresh, untouched solaris install, that has just had "sudo"
> dropped on it: let's say I want to give someone sudo access.
>
> I edit ONE file, and add ONE line.
> done.
> Also, you can rdist/rsync out a 'global' sudoers file.
> Simple, yet very flexible.

Ok. On an OpenSolaris 2008.05 system that has rbac installed by default
and with root configured as a role (which it is if you create an initial
user at install time):

# usermod -R root username

This gives the user root privileges, just like sudo. Seems pretty
simple to me, just different. I believe (haven't tested) that you can
also rdist/rsync /etc/user_attr which I think is the equivalent to
/etc/sudoers.

Could we have a simpler interface for more complex rbac configurations
(instead of using the cli via rolemod, usermod, etc or editing the
config files), probably. Sounds like a nice RFE to me (if something
doesn't already exist).

> Last time I checked, RBAC was not nearly that simple, and does not lend
> itself to scalability of administration across multiple machines. It's a
> very "local-only" solution. sudo is *designed to be* a multiple-machine
> solution. RBAC does not appear to be so.

I'm very much a novice when it comes to RBAC, I'll let others speak to
its scalability. From what little I've seen, I think it's perfectly
scalable. Again, just different.

FWIW, I'm not against adding sudo. I just don't think the existing
mechanism we have is that unusable though it is different.

Cheers,

Glenn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
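The following is an added example, not part of the thread: a grant made with `usermod -R root username` is recorded as a `roles=` attribute in /etc/user_attr, so a file that is edited by hand or pushed out with rdist/rsync can be audited for who may assume root. The function names and the sample entries are constructed for illustration; attribute values are assumed to contain no ';' or ',' of their own.

```shell
#!/bin/sh
# Audit a user_attr-format file for accounts that may assume a given role.
# user_attr(4) line format:  user:qualifier:res1:res2:attr
# attr is a ';'-separated list of key=value pairs; roles= is ','-separated.

users_with_role() {
    # $1 = role name, $2 = path to a user_attr-format file
    awk -F: -v role="$1" '
        /^[ \t]*#/ || NF < 5 { next }      # skip comments, blanks, short lines
        {
            attr = $5                      # re-join in case a value held ":"
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^roles=/) continue
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++)
                    if (r[j] == role) { print $1; break }
            }
        }
    ' "$2"
}

# Constructed sample entries (not taken from any real system).
sample_user_attr() {
    cat <<'EOF'
# comment lines are ignored: dave::::roles=root
root::::type=role;auths=solaris.*;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;profiles=Primary Administrator
carol::::type=normal;roles=backup,root;lock_after_retries=no
erin::::type=normal;roles=backup
EOF
}

# Demo: write the sample to a temporary file and list the root-capable users.
demo_file=$(mktemp)
sample_user_attr > "$demo_file"
users_with_role root "$demo_file"
rm -f "$demo_file"
```

Running the same function against the copy of user_attr on each host after a sync shows whether the distributed file grants the root role to anyone unexpected.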
